[Hiring] Technical GRC Specialist @Capacity
Technical GRC Specialist @Capacity
Compliance
Salary gbp 50,000 - 65..
Remote Location
remote UK
Employment Type full-time
Posted 5d ago

5d ago - Capacity is hiring a remote Technical GRC Specialist. 💸 Salary: gbp 50,000 - 65,000 per year 📍Location: UK

Role Description

We are looking for an experienced software-as-a-service (SaaS) security practitioner to join our growing Governance, Risk & Compliance (GRC) team. This role will primarily take ownership of our security hardening standards and our Third-Party Risk Management (TPRM), focusing on proactive improvements in cybersecurity, ensuring audit readiness, and scaling GRC processes through automation.

This is a high-impact role suited to someone who wants to influence cybersecurity at scale, enjoys working cross-functionally, and is able to balance strong risk management with commercial pragmatism.

You will work closely with operational stakeholders across the organization, helping strengthen our overall security posture, including vendor assurance, while enabling the business to move safely and quickly.

Responsibilities

  • Security Hardening & Technical GRC
    • Provide hands-on support in the assessment, improvement, and maintenance of technical security baselines based on industry best practices (e.g., NIST, CIS, ISO).
    • Ensure these configurations satisfy global regulatory mandates (e.g., HIPAA, GDPR).
    • Leverage automated tools to monitor security and compliance posture.
    • Act as a GRC interface with Infrastructure and Engineering teams to ensure hardening requirements are technically feasible and effectively implemented.
  • Third-Party Risk Management
    • Manage and continuously improve the company’s Third-Party Risk Management programme across suppliers, vendors, and strategic partners.
    • Own end-to-end due diligence processes for new and existing vendors, including inherent risk assessments, security/privacy reviews, and ongoing monitoring.
    • Review vendor assurance documentation such as ISO 27001 certificates, SOC 2 reports, penetration test summaries, policies, and compliance evidence.
    • Identify, document, and communicate vendor risks, remediation actions, and approval recommendations.
    • Maintain risk tiering and reassessment schedules for critical and high-risk vendors.
    • Act as a trusted partner to internal stakeholders during vendor onboarding, renewals, and procurement decisions.
    • Engage directly with suppliers to resolve due diligence issues and drive remediation.
  • GRC Operations & Improvement
    • Maintain audit-ready documentation within GRC systems.
    • Support team members as necessary with global and contractual compliance efforts, as well as internal and external audits.
    • Contribute to security and compliance policy, process, and control improvements.
    • Identify opportunities for automation, simplification, and improved GRC tooling.

What success looks like in the first 12 months

  • Strong audit readiness with high-quality, reliable technical evidence.
  • Effective use of GRC tooling to automate and streamline compliance processes.
  • Mature and efficient Third-Party Risk Management workflows.
  • Improved turnaround times for vendor assessments and internal requests.
  • Clear visibility of cybersecurity control effectiveness and risk posture.
  • Reduced manual effort through automation and improved processes.

Qualifications

  • 3+ years’ experience in compliance, GRC, vendor risk management, information security, internal audit or related fields.
  • Proven experience in cybersecurity and managing third-party/vendor due diligence programmes.
  • Strong understanding of common assurance frameworks such as ISO 27001, SOC 2, NIST or equivalent.
  • Good working knowledge of UK GDPR / privacy considerations in supplier relationships.
  • Familiarity with cloud/SaaS environments and common systems (e.g. identity providers, cloud platforms, collaboration tools).
  • Experience reviewing supplier security documentation and identifying practical risks.
  • Strong organisational skills with the ability to manage multiple priorities independently.
  • Excellent written and verbal communication skills; proficient in English.

Desirable

  • SaaS / software industry experience.
  • Experience in a multi-entity or fast-growth business environment.
  • Familiarity with Vanta or other GRC tools.
  • Relevant certifications (e.g. ISO 27001 Lead Implementer/Auditor, CISM, CRISC, CIPM, CIPP/E).

What you can expect from us

  • Private health insurance
  • Profit Interest Unit Appreciation Rights
  • 25 days paid leave
  • Pension
  • Group life assurance
  • Group income protection
  • Flexible work environment
  • A supportive, diverse workplace where we prioritize respect for each other and our clients
  • A fun and collaborative team culture

Salary range

The expected base salary for the Technical GRC Specialist role is between £50,000 and £65,000; actual salary will be commensurate with a candidate's experience, skill and location.

But wait, there’s more!

At Capacity we believe in more than just building amazing products and helping our customers. Although we are a remote workforce, we remember the neighborhood where we started. We still strive to elevate our community by furthering access to education and careers in the tech space. Our affiliated nonprofit, Create A Loop, brings rigorous computer science courses to underserved communities with little to no access to formal computer science education. There are many opportunities for our Capacity team members to serve and educate our Create A Loop students throughout the year.
